Compute nodes are used in data centers and other deployments in order to provide significant computing resources as a service or tool used by other computing entities. By using a network of compute nodes, it is possible to distribute workload in order to deal with huge computing tasks in a practical manner.
Security of processes within such compute nodes is an ongoing problem, since the processes are often dealing with highly confidential data such as data identifying individuals, transactions, and other sensitive information. Where an individual compute node, or a network of compute nodes, is being used by more than one party, resources of the compute nodes such as caches are often shared between the processes of the different parties. As a consequence, various types of side-channel attack are possible whereby a malicious party is able to infer the sensitive information of one or more of the other parties. A side-channel attack occurs when an unauthorized party infers sensitive information by observing behavior such as memory accesses, times of events and other behavior in the network of compute nodes.
Some previous approaches to mitigating side-channel attacks have sought to use specially designed algorithms, executed in the network of compute nodes, which obfuscate patterns of memory accesses that otherwise potentially reveal confidential information to malicious observers. This adds significant performance overhead. Other approaches have sought to mitigate side-channel attacks after detecting them, but this is not ideal since it is difficult to detect side-channel attacks as a result of their nature. Some approaches have sought to eliminate resource sharing, but often this leads to a reduction in efficiency, as the resource sharing is typically done to improve efficiency.
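The following C example is added here for illustration and is not part of the original text. It contrasts a lookup whose memory access depends on a secret index with a data-oblivious lookup of the kind the first approach above describes, and counts reads to show the overhead; the table contents, the trace structure and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TABLE_SLOTS 16

/* Constructed table standing in for data indexed by a secret value. */
static const uint32_t TABLE[TABLE_SLOTS] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10
};

/* Models what a party sharing the cache could observe: which slots were read. */
typedef struct { uint8_t touched[TABLE_SLOTS]; size_t reads; } trace_t;

static uint32_t load(size_t i, trace_t *tr) {
    tr->touched[i] = 1;
    tr->reads++;
    return TABLE[i];
}

/* Direct lookup: the address read depends on the secret index. */
uint32_t lookup_direct(size_t secret, trace_t *tr) {
    return load(secret, tr);
}

/* Oblivious lookup: reads every slot in a fixed order and selects the
 * wanted value with a mask, so neither the addresses nor any branch
 * depend on the secret. The cost is TABLE_SLOTS reads instead of one. */
uint32_t lookup_oblivious(size_t secret, trace_t *tr) {
    uint32_t out = 0;
    for (size_t i = 0; i < TABLE_SLOTS; i++) {
        uint32_t v = load(i, tr);
        uint32_t diff = (uint32_t)(i ^ secret);
        /* mask is all ones when i == secret, zero otherwise */
        uint32_t mask = ((diff | (0u - diff)) >> 31) - 1u;
        out |= v & mask;
    }
    return out;
}

/* Returns 1 when two runs touched exactly the same slots. */
int same_access_pattern(const trace_t *a, const trace_t *b) {
    return memcmp(a->touched, b->touched, TABLE_SLOTS) == 0;
}
```

For two different secrets the direct lookup leaves different traces, while the oblivious lookup leaves identical traces at sixteen times the read count.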
The embodiments described below are not limited to implementations which solve any or all of the disadvantages of known compute nodes.